Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
[   22.045943] random: sshd: uninitialized urandom read (32 bytes read)
[   22.150186] audit: type=1400 audit(1571606177.288:7): avc:  denied  { map } for  pid=1779 comm="syz-executor467" path="/root/syz-executor467572496" dev="sda1" ino=16482 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[   24.380398] ==================================================================
[   24.387861] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[   24.394855] Read of size 8 at addr ffff8881cbf742b8 by task kworker/1:1/33
[   24.401861] 
[   24.403471] CPU: 1 PID: 33 Comm: kworker/1:1 Not tainted 4.14.150+ #0
[   24.410138] Workqueue: events xfrm_state_gc_task
[   24.415480] Call Trace:
[   24.418070]  dump_stack+0xca/0x134
[   24.421588]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.426247]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.430985]  print_address_description+0x60/0x226
[   24.435892]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.440577]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.445339]  __kasan_report.cold+0x1a/0x41
[   24.449571]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.454225]  xfrm6_tunnel_destroy+0x4e0/0x560
[   24.458720]  ? kfree+0x1ca/0x3a0
[   24.462072]  xfrm_state_gc_task+0x3d6/0x550
[   24.466374]  ? xfrm_state_unregister_afinfo+0x190/0x190
[   24.471812]  ? lock_acquire+0x12b/0x360
[   24.475800]  process_one_work+0x7f1/0x1580
[   24.480031]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[   24.484697]  worker_thread+0xdd/0xdf0
[   24.488503]  ? process_one_work+0x1580/0x1580
[   24.493331]  kthread+0x31f/0x430
[   24.496684]  ? kthread_create_on_node+0xf0/0xf0
[   24.501332]  ret_from_fork+0x3a/0x50
[   24.505046] 
[   24.506657] Allocated by task 1787:
[   24.510266]  __kasan_kmalloc.part.0+0x53/0xc0
[   24.514741]  ops_init+0xee/0x3f0
[   24.518255]  setup_net+0x259/0x550
[   24.521770]  copy_net_ns+0x195/0x480
[   24.525532]  create_new_namespaces+0x373/0x760
[   24.530100]  unshare_nsproxy_namespaces+0xa5/0x1e0
[   24.535023]  SyS_unshare+0x34e/0x6c0
[   24.538712]  do_syscall_64+0x19b/0x520
[   24.542574]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[   24.547746]  0xffffffffffffffff
[   24.550999] 
[   24.552603] Freed by task 369:
[   24.555774]  __kasan_slab_free+0x164/0x210
[   24.559982]  kfree+0x108/0x3a0
[   24.563148]  ops_free_list.part.0+0x1f9/0x330
[   24.567616]  cleanup_net+0x466/0x870
[   24.571315]  process_one_work+0x7f1/0x1580
[   24.575708]  worker_thread+0xdd/0xdf0
[   24.579485]  kthread+0x31f/0x430
[   24.582826]  ret_from_fork+0x3a/0x50
[   24.586513]  0xffffffffffffffff
[   24.589778] 
[   24.591392] The buggy address belongs to the object at ffff8881cbf74200
[   24.591392]  which belongs to the cache kmalloc-8192 of size 8192
[   24.604197] The buggy address is located 184 bytes inside of
[   24.604197]  8192-byte region [ffff8881cbf74200, ffff8881cbf76200)
[   24.616154] The buggy address belongs to the page:
[   24.621070] page:ffffea00072fdc00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   24.631032] flags: 0x4000000000010200(slab|head)
[   24.636048] raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
[   24.643921] raw: dead000000000100 dead000000000200 ffff8881d6402400 0000000000000000
[   24.651791] page dumped because: kasan: bad access detected
[   24.657492] 
[   24.659097] Memory state around the buggy address:
[   24.664009]  ffff8881cbf74180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   24.672390]  ffff8881cbf74200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.679729] >ffff8881cbf74280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.687235]                                         ^
[   24.692415]  ffff8881cbf74300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.699763]  ffff8881cbf74380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   24.709083] ==================================================================
[   24.722452] Disabling lock debugging due to kernel taint
[   24.728348] Kernel panic - not syncing: panic_on_warn set ...
[   24.728348] 
[   24.735896] CPU: 1 PID: 33 Comm: kworker/1:1 Tainted: G    B           4.14.150+ #0
[   24.743794] Workqueue: events xfrm_state_gc_task
[   24.748534] Call Trace:
[   24.751110]  dump_stack+0xca/0x134
[   24.754628]  panic+0x1f1/0x3da
[   24.757954]  ? add_taint.cold+0x16/0x16
[   24.762097]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.766763]  end_report+0x43/0x49
[   24.770202]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.774849]  __kasan_report.cold+0xd/0x41
[   24.779065]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[   24.783708]  xfrm6_tunnel_destroy+0x4e0/0x560
[   24.788431]  ? kfree+0x1ca/0x3a0
[   24.792397]  xfrm_state_gc_task+0x3d6/0x550
[   24.796710]  ? xfrm_state_unregister_afinfo+0x190/0x190
[   24.802052]  ? lock_acquire+0x12b/0x360
[   24.806036]  process_one_work+0x7f1/0x1580
[   24.810450]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[   24.815594]  worker_thread+0xdd/0xdf0
[   24.825128]  ? process_one_work+0x1580/0x1580
[   24.831198]  kthread+0x31f/0x430
[   24.838871]  ? kthread_create_on_node+0xf0/0xf0
[   24.848027]  ret_from_fork+0x3a/0x50
[   24.852588] Kernel Offset: 0x24c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   24.863845] Rebooting in 86400 seconds..