==================================================================
BUG: KASAN: out-of-bounds in check_canary_byte mm/kfence/core.c:211 [inline]
BUG: KASAN: out-of-bounds in for_each_canary mm/kfence/core.c:245 [inline]
BUG: KASAN: out-of-bounds in kfence_guarded_free+0x7f1/0x8f0 mm/kfence/core.c:374
Read of size 1 at addr ffff88823bdf6fb2 by task syz-executor.4/15591

CPU: 0 PID: 15591 Comm: syz-executor.4 Not tainted 5.10.0-next-20201223-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 check_canary_byte mm/kfence/core.c:211 [inline]
 for_each_canary mm/kfence/core.c:245 [inline]
 kfence_guarded_free+0x7f1/0x8f0 mm/kfence/core.c:374
 __kfence_free+0x70/0x150 mm/kfence/core.c:756
 do_slab_free mm/slub.c:3145 [inline]
 slab_free mm/slub.c:3158 [inline]
 kfree+0x57c/0x5c0 mm/slub.c:4156
 skb_free_head net/core/skbuff.c:595 [inline]
 pskb_expand_head+0xb0c/0x1040 net/core/skbuff.c:1662
 __skb_cow include/linux/skbuff.h:3170 [inline]
 skb_cow_head include/linux/skbuff.h:3204 [inline]
 ip_tunnel_xmit+0xede/0x2b00 net/ipv4/ip_tunnel.c:800
 ipgre_xmit+0x679/0x830 net/ipv4/ip_gre.c:648
 __netdev_start_xmit include/linux/netdevice.h:4776 [inline]
 netdev_start_xmit include/linux/netdevice.h:4790 [inline]
 xmit_one net/core/dev.c:3574 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3590
 __dev_queue_xmit+0x21db/0x2dd0 net/core/dev.c:4151
 __bpf_tx_skb net/core/filter.c:2116 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2141 [inline]
 __bpf_redirect+0x52e/0xc60 net/core/filter.c:2164
 ____bpf_clone_redirect net/core/filter.c:2448 [inline]
 bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2420
 bpf_prog_d7d583f53caddbf0+0x56/0xb18
 bpf_dispatcher_nop_func include/linux/bpf.h:651 [inline]
 bpf_test_run+0x3f2/0xcc0 net/bpf/test_run.c:50
 bpf_prog_test_run_skb+0xabc/0x1c50 net/bpf/test_run.c:581
 bpf_prog_test_run kernel/bpf/syscall.c:3120 [inline]
 __do_sys_bpf+0x1ea9/0x4f10 kernel/bpf/syscall.c:4398
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e299
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5527758c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e299
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 000000000119bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c
R13: 00007fff7775856f R14: 00007f55277599c0 R15: 000000000119bf8c

============================================
WARNING: possible recursive locking detected
5.10.0-next-20201223-syzkaller #0 Not tainted
--------------------------------------------
syz-executor.4/15591 is trying to acquire lock:
ffffffff8efd9128 (&meta->lock){..-.}-{2:2}, at: kfence_handle_page_fault+0x201/0x650 mm/kfence/core.c:796

but task is already holding lock:
ffffffff8efd9128 (&meta->lock){..-.}-{2:2}, at: kfence_guarded_free+0x2d/0x8f0 mm/kfence/core.c:349

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&meta->lock);
  lock(&meta->lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

4 locks held by syz-executor.4/15591:
 #0: ffffffff8b363660 (rcu_read_lock){....}-{1:2}, at: bpf_test_run+0x116/0xcc0 net/bpf/test_run.c:28
 #1: ffffffff8b363600 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1d7/0x2dd0 net/core/dev.c:4085
 #2: ffffffff8efd9128 (&meta->lock){..-.}-{2:2}, at: kfence_guarded_free+0x2d/0x8f0 mm/kfence/core.c:349
 #3: ffffffff8b48af38 (report_lock){....}-{2:2}, at: start_report mm/kasan/report.c:83 [inline]
 #3: ffffffff8b48af38 (report_lock){....}-{2:2}, at: __kasan_report mm/kasan/report.c:388 [inline]
 #3: ffffffff8b48af38 (report_lock){....}-{2:2}, at: kasan_report+0x90/0x100 mm/kasan/report.c:413

stack backtrace:
CPU: 0 PID: 15591 Comm: syz-executor.4 Not tainted 5.10.0-next-20201223-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_deadlock_bug kernel/locking/lockdep.c:2761 [inline]
 check_deadlock kernel/locking/lockdep.c:2804 [inline]
 validate_chain kernel/locking/lockdep.c:3595 [inline]
 __lock_acquire.cold+0x15e/0x3b0 kernel/locking/lockdep.c:4832
 lock_acquire kernel/locking/lockdep.c:5437 [inline]
 lock_acquire+0x29d/0x740 kernel/locking/lockdep.c:5402
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:159
 kfence_handle_page_fault+0x201/0x650 mm/kfence/core.c:796
 no_context+0x540/0xa70 arch/x86/mm/fault.c:737
 __bad_area_nosemaphore+0xa9/0x3e0 arch/x86/mm/fault.c:844
 do_kern_addr_fault+0x5b/0x70 arch/x86/mm/fault.c:1233
 handle_page_fault arch/x86/mm/fault.c:1453 [inline]
 exc_page_fault+0x155/0x180 arch/x86/mm/fault.c:1511
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:580
RIP: 0010:print_track+0x1/0x29 mm/kasan/report.c:120
Code: 48 c7 c7 88 b3 c8 8a e8 da 1a ff ff e9 08 c0 ff f8 50 48 89 e6 e8 15 bd 1f fb 48 8b 3c 24 31 d2 89 c6 e8 38 e8 ab f8 5a c3 53 <8b> 17 48 89 fb 48 c7 c7 95 b8 c8 8a e8 ab 1a ff ff 8b 7b 04 85 ff
RSP: 0018:ffffc90001dcf2e8 EFLAGS: 00010086
RAX: ffff88823bdf7000 RBX: ffff888010042140 RCX: ffff88823bdf6000
RDX: 0000000000000fb2 RSI: ffffffff8ac71183 RDI: ffff88823bdf7000
RBP: ffffea0008ef7d80 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815ac52e R11: 0000000000000000 R12: ffff88823bdf6fb2
R13: ffff88823bdf6000 R14: ffff88823bdf7000 R15: ffff88823bdf6000
 describe_object_stacks mm/kasan/report.c:176 [inline]
 describe_object mm/kasan/report.c:206 [inline]
 print_address_description.constprop.0.cold+0x21a/0x2f8 mm/kasan/report.c:237
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 check_canary_byte mm/kfence/core.c:211 [inline]
 for_each_canary mm/kfence/core.c:245 [inline]
 kfence_guarded_free+0x7f1/0x8f0 mm/kfence/core.c:374
 __kfence_free+0x70/0x150 mm/kfence/core.c:756
 do_slab_free mm/slub.c:3145 [inline]
 slab_free mm/slub.c:3158 [inline]
 kfree+0x57c/0x5c0 mm/slub.c:4156
 skb_free_head net/core/skbuff.c:595 [inline]
 pskb_expand_head+0xb0c/0x1040 net/core/skbuff.c:1662
 __skb_cow include/linux/skbuff.h:3170 [inline]
 skb_cow_head include/linux/skbuff.h:3204 [inline]
 ip_tunnel_xmit+0xede/0x2b00 net/ipv4/ip_tunnel.c:800
 ipgre_xmit+0x679/0x830 net/ipv4/ip_gre.c:648
 __netdev_start_xmit include/linux/netdevice.h:4776 [inline]
 netdev_start_xmit include/linux/netdevice.h:4790 [inline]
 xmit_one net/core/dev.c:3574 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3590
 __dev_queue_xmit+0x21db/0x2dd0 net/core/dev.c:4151
 __bpf_tx_skb net/core/filter.c:2116 [inline]
 __bpf_redirect_no_mac net/core/filter.c:2141 [inline]
 __bpf_redirect+0x52e/0xc60 net/core/filter.c:2164
 ____bpf_clone_redirect net/core/filter.c:2448 [inline]
 bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2420
 bpf_prog_d7d583f53caddbf0+0x56/0xb18
 bpf_dispatcher_nop_func include/linux/bpf.h:651 [inline]
 bpf_test_run+0x3f2/0xcc0 net/bpf/test_run.c:50
 bpf_prog_test_run_skb+0xabc/0x1c50 net/bpf/test_run.c:581
 bpf_prog_test_run kernel/bpf/syscall.c:3120 [inline]
 __do_sys_bpf+0x1ea9/0x4f10 kernel/bpf/syscall.c:4398
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45e299
Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f5527758c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045e299
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 000000000119bfc0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000119bf8c
R13: 00007fff7775856f R14: 00007f55277599c0 R15: 000000000119bf8c