device syz3 entered promiscuous mode
==================================================================
BUG: KASAN: slab-out-of-bounds in __tcp_hdrlen include/linux/tcp.h:35 [inline]
BUG: KASAN: slab-out-of-bounds in tcp_hdrlen include/linux/tcp.h:40 [inline]
BUG: KASAN: slab-out-of-bounds in qdisc_pkt_len_init net/core/dev.c:3171 [inline]
BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x22b6/0x2300 net/core/dev.c:3477
Read of size 2 at addr ffff8801ce613040 by task syz-executor3/5184

CPU: 0 PID: 5184 Comm: syz-executor3 Not tainted 4.15.0-rc6-mm1+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x137/0x198 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
 __tcp_hdrlen include/linux/tcp.h:35 [inline]
 tcp_hdrlen include/linux/tcp.h:40 [inline]
 qdisc_pkt_len_init net/core/dev.c:3171 [inline]
 __dev_queue_xmit+0x22b6/0x2300 net/core/dev.c:3477
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3566
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x31d5/0x5720 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:628 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:638
 sock_write_iter+0x21d/0x3a0 net/socket.c:907
 call_write_iter include/linux/fs.h:1775 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x550/0x740 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xd4/0x1a0 fs/read_write.c:581
 entry_SYSCALL_64_fastpath+0x23/0x9a
RIP: 0033:0x452ac9
RSP: 002b:00007fea1a07fc58 EFLAGS: 00000212 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000086 RSI: 0000000020c44f7a RDI: 0000000000000015
RBP: 000000000000005c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ee940
R13: 00000000ffffffff R14: 00007fea1a0806d4 R15: 0000000000000000

Allocated by task 3701:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
 kmem_cache_zalloc include/linux/slab.h:694 [inline]
 get_empty_filp+0x8f/0x3c0 fs/file_table.c:122
 path_openat+0xb2/0x26e0 fs/namei.c:3514
 do_filp_open+0x19d/0x290 fs/namei.c:3572
 do_sys_open+0x336/0x4b0 fs/open.c:1059
 SYSC_open fs/open.c:1077 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1072
 entry_SYSCALL_64_fastpath+0x23/0x9a

Freed by task 16:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x86/0x2b0 mm/slab.c:3743
 file_free_rcu+0x5c/0x70 fs/file_table.c:49
 __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
 rcu_do_batch kernel/rcu/tree.c:2675 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2934 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2901 [inline]
 rcu_process_callbacks+0x5cf/0x1200 kernel/rcu/tree.c:2918
 __do_softirq+0x23f/0x99f kernel/softirq.c:285

The buggy address belongs to the object at ffff8801ce6130c0
 which belongs to the cache filp of size 456
The buggy address is located 128 bytes to the left of
 456-byte region [ffff8801ce6130c0, ffff8801ce613288)
The buggy address belongs to the page:
page:ffffea00073984c0 count:1 mapcount:0 mapping:ffff8801ce6130c0 index:0xffff8801ce613840
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801ce6130c0 ffff8801ce613840 0000000100000005
raw: ffffea000736cd60 ffffea0007351620 ffff8801db230180 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801ce612f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801ce612f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801ce613000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8801ce613080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801ce613100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================