BUG: KASAN: wild-memory-access in memcpy include/linux/string.h:339 [inline]
BUG: KASAN: wild-memory-access in skb_copy_ubufs+0xc51/0x1940 net/core/skbuff.c:1229
Read of size 4096 at addr 2efd803c991bc8dc by task syz-executor1/4406

CPU: 0 PID: 4406 Comm: syz-executor1 Not tainted 4.13.0-rc5-next-20170815+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 kasan_report_error mm/kasan/report.c:349 [inline]
 kasan_report+0x12e/0x340 mm/kasan/report.c:409
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:339 [inline]
 skb_copy_ubufs+0xc51/0x1940 net/core/skbuff.c:1229
syz-executor6 invoked oom-killer: gfp_mask=0x17080c0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOTRACK), nodemask=(null),  order=0, oom_score_adj=0
syz-executor6 cpuset=/ mems_allowed=0-1
 skb_orphan_frags_rx include/linux/skbuff.h:2548 [inline]
 __netif_receive_skb_core+0x2084/0x33d0 net/core/dev.c:4415
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4456
 netif_receive_skb_internal+0x10b/0x5e0 net/core/dev.c:4527
 netif_receive_skb+0xae/0x390 net/core/dev.c:4551
 tun_rx_batched.isra.43+0x5e7/0x860 drivers/net/tun.c:1221
 tun_get_user+0x11dd/0x2150 drivers/net/tun.c:1542
 tun_chr_write_iter+0xd8/0x190 drivers/net/tun.c:1568
 call_write_iter include/linux/fs.h:1742 [inline]
 new_sync_write fs/read_write.c:457 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:470
 vfs_write+0x189/0x510 fs/read_write.c:518
 SYSC_write fs/read_write.c:565 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:557
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x40bab1
RSP: 002b:00007fd192bcbc00 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000002a RCX: 000000000040bab1
RDX: 000000000000002a RSI: 0000000020f01000 RDI: 0000000000000003
RBP: 00007ffed3608c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fd192bcc9c0 R15: 00007fd192bcc700
==================================================================
CPU: 3 PID: 4454 Comm: syz-executor6 Not tainted 4.13.0-rc5-next-20170815+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 dump_header+0x234/0xa0e mm/oom_kill.c:421
 oom_kill_process+0x86d/0x13d0 mm/oom_kill.c:810
 out_of_memory+0x7dd/0x11d0 mm/oom_kill.c:1024
 __alloc_pages_may_oom mm/page_alloc.c:3327 [inline]
 __alloc_pages_slowpath+0x1eae/0x2ee0 mm/page_alloc.c:4038
 __alloc_pages_nodemask+0x9f7/0xd80 mm/page_alloc.c:4193
 alloc_pages_current+0xb6/0x1e0 mm/mempolicy.c:2041
 alloc_pages include/linux/gfp.h:505 [inline]
 pte_alloc_one+0x19/0x100 arch/x86/mm/pgtable.c:28
 __pte_alloc+0x2a/0x300 mm/memory.c:645
 do_anonymous_page mm/memory.c:2974 [inline]
 handle_pte_fault mm/memory.c:3794 [inline]
 __handle_mm_fault+0x2a6b/0x3980 mm/memory.c:3921
 handle_mm_fault+0x3bb/0x940 mm/memory.c:3958
 __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1445
 trace_do_page_fault+0x141/0x730 arch/x86/mm/fault.c:1538
 do_async_page_fault+0x72/0xc0 arch/x86/kernel/kvm.c:266
 async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1097
RIP: 0033:0x40632e
RSP: 002b:00007ffce939a750 EFLAGS: 00010246
RAX: 0000000020fd5ff0 RBX: 0000000000000003 RCX: 0000000000000003
RDX: c8a1903d85ec70a6 RSI: 0000000000000000 RDI: 000000000252d840
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000d00000012
R10: 00007ffce939a7e0 R11: 0000000000000000 R12: fffffffffffffffe
R13: 00000000007080cc R14: 0000000000000007 R15: 0000000020fd5ff0
Mem-Info:
active_anon:10938 inactive_anon:42 isolated_anon:0
 active_file:794 inactive_file:736 isolated_file:32
 unevictable:0 dirty:56 writeback:0 unstable:0
 slab_reclaimable:5319 slab_unreclaimable:26802
 mapped:1273 shmem:49 pagetables:504 bounce:0
 free:10045 free_pcp:745 free_cma:0
Node 0 active_anon:22316kB inactive_anon:108kB active_file:512kB inactive_file:396kB unevictable:0kB isolated(anon):0kB isolated(file):128kB mapped:576kB dirty:96kB writeback:0kB shmem:116kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 69632kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
Node 1 active_anon:21436kB inactive_anon:60kB active_file:2664kB inactive_file:2548kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:4516kB dirty:128kB writeback:0kB shmem:80kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 2048kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
Node 0 DMA free:3744kB min:640kB low:800kB high:960kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 884 884 884
Node 0 DMA32 free:18884kB min:36500kB low:45624kB high:54748kB active_anon:22316kB inactive_anon:108kB active_file:416kB inactive_file:908kB unevictable:0kB writepending:96kB present:1032192kB managed:907904kB mlocked:0kB kernel_stack:2336kB pagetables:1264kB bounce:0kB free_pcp:1424kB local_pcp:624kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 1 DMA32 free:17552kB min:30440kB low:38048kB high:45656kB active_anon:21436kB inactive_anon:60kB active_file:2664kB inactive_file:3328kB unevictable:0kB writepending:128kB present:1048560kB managed:755224kB mlocked:0kB kernel_stack:2592kB pagetables:752kB bounce:0kB free_pcp:1556kB local_pcp:624kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 0*4kB 1*8kB (U) 0*16kB 0*32kB 0*64kB 1*128kB (U) 0*256kB 1*512kB (U) 1*1024kB (U) 1*2048kB (M) 0*4096kB = 3720kB
Node 0 DMA32: 510*4kB (UM) 335*8kB (UM) 179*16kB (ME) 75*32kB (UME) 36*64kB (ME) 12*128kB (UME) 2*256kB (UM) 2*512kB (ME) 2*1024kB (ME) 1*2048kB (M) 0*4096kB = 19456kB
Node 1 DMA32: 589*4kB (UME) 238*8kB (UM) 73*16kB (ME) 20*32kB (UME) 9*64kB (ME) 4*128kB (ME) 3*256kB (ME) 3*512kB (UME) 2*1024kB (UM) 3*2048kB (M) 0*4096kB = 17652kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
Node 1 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
1572 total pagecache pages
0 pages in swap cache
Swap cache stats: add 0, delete 0, find 0/0
Free swap  = 0kB
Total swap = 0kB
524186 pages RAM
0 pages HighMem/MovableOnly
104427 pages reserved
[ pid ]   uid  tgid total_vm      rss nr_ptes nr_pmds swapents oom_score_adj name
[ 1506]     0  1506     5349      521      16       3        0         -1000 udevd
[ 2761]     0  2761     5348      496      15       3        0         -1000 udevd
[ 2772]     0  2772     2493      635       8       3        0             0 dhclient
[ 2902]     0  2902    14237      489      23       3        0             0 rsyslogd
[ 2938]     0  2938     4725      423      14       3        0             0 cron
[ 2963]     0  2963    12490      493      28       3        0         -1000 sshd
[ 2988]     0  2988     3694      412      13       3        0             0 getty
[ 2989]     0  2989     3694      411      13       3        0             0 getty
[ 2990]     0  2990     3694      400      12       3        0             0 getty
[ 2991]     0  2991     3694      400      14       3        0             0 getty
[ 2992]     0  2992     3694      394      13       3        0             0 getty
[ 2993]     0  2993     3694      396      13       3        0             0 getty
[ 2994]     0  2994     3649      377      13       3        0             0 getty
[ 2995]     0  2995     5348      496      15       3        0         -1000 udevd
[ 3016]     0  3016    17820      581      37       3        0             0 sshd
[ 3018]     0  3018    40848     1778      21       5        0             0 syz-execprog
[ 3025]     0  3025     5297      113       6       2        0             0 syz-executor0
[ 3027]     0  3027     5297      132       7       3        0             0 syz-executor0
[ 3033]     0  3033     5297       97       7       2        0             0 syz-executor3
[ 3035]     0  3035     5297      113       5       2        0             0 syz-executor1
[ 3036]     0  3036     5297      112       6       2        0             0 syz-executor4
[ 3038]     0  3038     5297      133       6       3        0             0 syz-executor1
[ 3041]     0  3041     5297      133       8       3        0             0 syz-executor3
[ 3042]     0  3042     5297       96       6       2        0             0 syz-executor2
[ 3043]     0  3043     5297      131       7       3        0             0 syz-executor4
[ 3045]     0  3045     5297      114       6       2        0             0 syz-executor6
[ 3047]     0  3047     5297      132       7       3        0             0 syz-executor2
[ 3050]     0  3050     5297      113       6       2        0             0 syz-executor7
[ 3052]     0  3052     5297      133       7       3        0             0 syz-executor6
[ 3054]     0  3054     5348      496      15       3        0         -1000 udevd
[ 3057]     0  3057     5348      496      15       3        0         -1000 udevd
[ 3058]     0  3058     5297       96       6       2        0             0 syz-executor5
[ 3059]     0  3059     5297      132       7       3        0             0 syz-executor7
[ 3063]     0  3063     5348      256      15       3        0         -1000 udevd
[ 3071]     0  3071     5297      131       7       3        0             0 syz-executor5
[ 4406]     0  4373     9513     2723      14       4        0             0 syz-executor1
[ 4452]     0  4452     9480     1553      12       4        0             0 syz-executor3
[ 4454]     0  4454     9480     1553      11       4        0             0 syz-executor6
[ 4457]     0  4457     9480     1552      11       4        0             0 syz-executor2
Out of memory: Kill process 4373 (syz-executor1) score 6 or sacrifice child
Killed process 4406 (syz-executor1) total-vm:38052kB, anon-rss:10376kB, file-rss:516kB, shmem-rss:0kB