==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in memcpy_dir crypto/scatterwalk.c:28 [inline]
BUG: KASAN: slab-out-of-bounds in scatterwalk_copychunks+0x26a/0x6c0 crypto/scatterwalk.c:43
Read of size 4096 at addr ffff88809f4f2000 by task syz-executor.3/11634

CPU: 0 PID: 11634 Comm: syz-executor.3 Not tainted 4.14.174-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:347 [inline]
 memcpy_dir crypto/scatterwalk.c:28 [inline]
 scatterwalk_copychunks+0x26a/0x6c0 crypto/scatterwalk.c:43
 scatterwalk_map_and_copy crypto/scatterwalk.c:72 [inline]
 scatterwalk_map_and_copy+0x100/0x1a0 crypto/scatterwalk.c:60
 gcmaes_encrypt.constprop.0+0x1c9/0xbd0 arch/x86/crypto/aesni-intel_glue.c:778

Allocated by task 7268:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 kmem_cache_alloc_node+0x148/0x7a0 mm/slab.c:3642
 __alloc_skb+0x9a/0x4c0 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:980 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 br_ifinfo_notify.part.0+0x8a/0x180 net/bridge/br_netlink.c:469
 br_ifinfo_notify+0x23/0x30 net/bridge/br_netlink.c:462
 br_device_event+0x1cb/0x560 net/bridge/br.c:115
 notifier_call_chain+0x107/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers net/core/dev.c:1687 [inline]
 __dev_notify_flags+0xc4/0x210 net/core/dev.c:6834
 dev_change_flags+0xe6/0x130 net/core/dev.c:6867
 do_setlink+0x91b/0x2c00 net/core/rtnetlink.c:2092
 rtnl_newlink+0x11bb/0x1720 net/core/rtnetlink.c:2660
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
 netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xc5/0x100 net/socket.c:656
 SYSC_sendto+0x1c4/0x2b0 net/socket.c:1763
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 7268:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x7c/0x2b0 mm/slab.c:3758
 kfree_skbmem+0x98/0x100 net/core/skbuff.c:586
 __kfree_skb net/core/skbuff.c:646 [inline]
 consume_skb+0xaf/0x330 net/core/skbuff.c:705
 netlink_broadcast_filtered+0x2b3/0x9d0 net/netlink/af_netlink.c:1489
 netlink_broadcast net/netlink/af_netlink.c:1511 [inline]
 nlmsg_multicast include/net/netlink.h:591 [inline]
 nlmsg_notify+0x126/0x170 net/netlink/af_netlink.c:2476
 br_ifinfo_notify.part.0+0xfa/0x180 net/bridge/br_netlink.c:480
 br_ifinfo_notify+0x23/0x30 net/bridge/br_netlink.c:462
 br_device_event+0x1cb/0x560 net/bridge/br.c:115
 notifier_call_chain+0x107/0x1a0 kernel/notifier.c:93
 call_netdevice_notifiers net/core/dev.c:1687 [inline]
 __dev_notify_flags+0xc4/0x210 net/core/dev.c:6834
 dev_change_flags+0xe6/0x130 net/core/dev.c:6867
 do_setlink+0x91b/0x2c00 net/core/rtnetlink.c:2092
 rtnl_newlink+0x11bb/0x1720 net/core/rtnetlink.c:2660
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4315
 netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xc5/0x100 net/socket.c:656
 SYSC_sendto+0x1c4/0x2b0 net/socket.c:1763
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff88809f4f20c0
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 192 bytes to the left of
 232-byte region [ffff88809f4f20c0, ffff88809f4f21a8)
The buggy address belongs to the page:
page:ffffea00027d3c80 count:1 mapcount:0 mapping:ffff88809f4f20c0 index:0xffff88809f4f2700
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff88809f4f20c0 ffff88809f4f2700 0000000100000001
raw: ffffea0002134aa0 ffffea000260a7a0 ffff8880a9a4dd80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f4f1f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809f4f1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809f4f2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88809f4f2080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88809f4f2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================