==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data_offset include/linux/skbuff.h:3676 [inline]
BUG: KASAN: slab-out-of-bounds in skb_segment+0x14ba/0x37a0 net/core/skbuff.c:4000
Read of size 1410 at addr ffff888014f50ec2 by task syz-executor.5/20997

CPU: 0 PID: 20997 Comm: syz-executor.5 Not tainted 5.11.0-rc4-next-20210120-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:397 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:414
 check_region_inline mm/kasan/generic.c:180 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:186
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 memcpy include/linux/fortify-string.h:191 [inline]
 skb_copy_from_linear_data_offset include/linux/skbuff.h:3676 [inline]
 skb_segment+0x14ba/0x37a0 net/core/skbuff.c:4000
 tcp_gso_segment+0x33d/0x17e0 net/ipv4/tcp_offload.c:98
 tcp4_gso_segment net/ipv4/tcp_offload.c:51 [inline]
 tcp4_gso_segment+0x194/0x3a0 net/ipv4/tcp_offload.c:29
 inet_gso_segment+0x502/0x1110 net/ipv4/af_inet.c:1378
 skb_mac_gso_segment+0x26e/0x530 net/core/dev.c:3326
 gre_gso_segment+0x538/0x1310 net/ipv4/gre_offload.c:50
 inet_gso_segment+0x502/0x1110 net/ipv4/af_inet.c:1378
 skb_mac_gso_segment+0x26e/0x530 net/core/dev.c:3326
 __skb_gso_segment+0x330/0x6e0 net/core/dev.c:3399
 skb_gso_segment include/linux/netdevice.h:4712 [inline]
 validate_xmit_skb+0x69e/0xee0 net/core/dev.c:3644
 __dev_queue_xmit+0x988/0x2dd0 net/core/dev.c:4142
 neigh_hh_output include/net/neighbour.h:499 [inline]
 neigh_output include/net/neighbour.h:508 [inline]
 ip_finish_output2+0xeb6/0x21b0 net/ipv4/ip_output.c:230
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x396/0x640 net/ipv4/ip_output.c:290
 ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip_output+0x196/0x310 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:441 [inline]
 ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:126
 iptunnel_xmit+0x5a3/0x9c0 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x1116/0x2b00 net/ipv4/ip_tunnel.c:806
 gre_tap_xmit+0x4ff/0x630 net/ipv4/ip_gre.c:730
 __netdev_start_xmit include/linux/netdevice.h:4762 [inline]
 netdev_start_xmit include/linux/netdevice.h:4776 [inline]
 xmit_one net/core/dev.c:3574 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3590
 sch_direct_xmit+0x2e1/0xbd0 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0x4ba/0x15f0 net/sched/sch_generic.c:384
 qdisc_run include/net/pkt_sched.h:136 [inline]
 qdisc_run include/net/pkt_sched.h:128 [inline]
 __dev_xmit_skb net/core/dev.c:3765 [inline]
 __dev_queue_xmit+0x1489/0x2dd0 net/core/dev.c:4119
 neigh_hh_output include/net/neighbour.h:499 [inline]
 neigh_output include/net/neighbour.h:508 [inline]
 ip_finish_output2+0xeb6/0x21b0 net/ipv4/ip_output.c:230
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x396/0x640 net/ipv4/ip_output.c:290
 ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip_output+0x196/0x310 net/ipv4/ip_output.c:432
 dst_output include/net/dst.h:441 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 __ip_queue_xmit+0x8e9/0x1a00 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x188c/0x38f0 net/ipv4/tcp_output.c:1405
 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
 tcp_write_xmit+0xde7/0x6140 net/ipv4/tcp_output.c:2689
 __tcp_push_pending_frames+0xaa/0x390 net/ipv4/tcp_output.c:2869
 tcp_send_fin+0x117/0xbb0 net/ipv4/tcp_output.c:3426
 __tcp_close+0xaca/0x1170 net/ipv4/tcp.c:2739
 tcp_close+0x29/0xc0 net/ipv4/tcp.c:2829
 inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
 __sock_release+0xcd/0x280 net/socket.c:597
 sock_close+0x18/0x20 net/socket.c:1256
 __fput+0x283/0x920 fs/file_table.c:280
 task_work_run+0xdd/0x190 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:177 [inline]
 exit_to_user_mode_prepare+0x249/0x250 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:301 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:312
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x417b71
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe8202db20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000417b71
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 0000000000001a11 R09: 000000009f553a15
R10: 00007ffe8202dc00 R11: 0000000000000293 R12: 000000000119ca00
R13: 000000000119ca00 R14: 00000000000003e8 R15: 000000000119c0dc

Allocated by task 21000:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:403 [inline]
 ____kasan_kmalloc mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc.constprop.0+0xa0/0xd0 mm/kasan/common.c:406
 kasan_slab_alloc include/linux/kasan.h:208 [inline]
 slab_post_alloc_hook mm/slab.h:518 [inline]
 slab_alloc_node mm/slub.c:2910 [inline]
 __kmalloc_node_track_caller+0x191/0x320 mm/slub.c:4584
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0xae/0x5a0 net/core/skbuff.c:210
 alloc_skb_fclone include/linux/skbuff.h:1150 [inline]
 sk_stream_alloc_skb+0x109/0xc30 net/ipv4/tcp.c:888
 tcp_fragment+0x1c6/0x15f0 net/ipv4/tcp_output.c:1569
 tcp_write_wakeup+0x462/0x610 net/ipv4/tcp_output.c:4052
 tcp_send_probe0+0x44/0x560 net/ipv4/tcp_output.c:4081
 tcp_probe_timer net/ipv4/tcp_timer.c:386 [inline]
 tcp_write_timer_handler+0x915/0xaf0 net/ipv4/tcp_timer.c:614
 tcp_release_cb+0x26a/0x360 net/ipv4/tcp_output.c:1107
 release_sock+0xb4/0x1b0 net/core/sock.c:3072
 tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1460
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:817
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345
 kvfree_call_rcu+0x104/0x7c0 kernel/rcu/tree.c:3549
 neigh_destroy+0x3ff/0x5f0 net/core/neighbour.c:858
 neigh_release include/net/neighbour.h:425 [inline]
 neigh_cleanup_and_release+0x1fd/0x340 net/core/neighbour.c:103
 neigh_del net/core/neighbour.c:193 [inline]
 neigh_remove_one+0x3cf/0x450 net/core/neighbour.c:214
 neigh_forced_gc net/core/neighbour.c:243 [inline]
 neigh_alloc net/core/neighbour.c:390 [inline]
 ___neigh_create+0x16aa/0x25d0 net/core/neighbour.c:578
 neigh_create include/net/neighbour.h:324 [inline]
 __neigh_lookup include/net/neighbour.h:521 [inline]
 __neigh_lookup include/net/neighbour.h:514 [inline]
 ndisc_router_discovery+0x1f5c/0x2ce0 net/ipv6/ndisc.c:1403
 ndisc_rcv+0x451/0x500 net/ipv6/ndisc.c:1771
 icmpv6_rcv+0x1014/0x19e0 net/ipv6/icmp.c:942
 ip6_protocol_deliver_rcu+0x2e8/0x1680 net/ipv6/ip6_input.c:433
 ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:474
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:483
 ip6_mc_input+0x411/0xea0 net/ipv6/ip6_input.c:577
 dst_input include/net/dst.h:447 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ipv6_rcv+0x28e/0x3c0 net/ipv6/ip6_input.c:307
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5319
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5433
 netif_receive_skb_internal net/core/dev.c:5538 [inline]
 netif_receive_skb+0x157/0x8e0 net/core/dev.c:5597
 tun_rx_batched.isra.0+0x460/0x720 drivers/net/tun.c:1449
 tun_get_user+0x23da/0x3690 drivers/net/tun.c:1896
 tun_chr_write_iter+0xe1/0x1d0 drivers/net/tun.c:1926
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x791/0xa30 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888014f50800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 706 bytes to the right of
 1024-byte region [ffff888014f50800, ffff888014f50c00)
The buggy address belongs to the page:
page:000000007c92483b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f50
head:000000007c92483b order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010041dc0
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888014f50d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888014f50e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888014f50e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                          ^
 ffff888014f50f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888014f50f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
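Added triage aid, not part of the syzbot report above: a small Python parser for the header of a KASAN slab report that recomputes the out-of-bounds offset from the raw access address and the object region, checks it against the offset KASAN printed, and also works out how far the end of the access reaches past the object (KASAN only reports where the access starts; here a 1410-byte read that begins 706 bytes past a 1024-byte kmalloc-1k object ends 2116 bytes past it). The embedded excerpt is copied verbatim from the report above; the function and field names are my own.

```python
import re

# Constructed excerpt: the header lines of the KASAN report above, copied
# verbatim. Only these lines are needed for the arithmetic below.
KASAN_EXCERPT = """\
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data_offset include/linux/skbuff.h:3676 [inline]
BUG: KASAN: slab-out-of-bounds in skb_segment+0x14ba/0x37a0 net/core/skbuff.c:4000
Read of size 1410 at addr ffff888014f50ec2 by task syz-executor.5/20997
The buggy address belongs to the object at ffff888014f50800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 706 bytes to the right of
 1024-byte region [ffff888014f50800, ffff888014f50c00)
"""

# KASAN prints one "BUG:" line per inlined frame; only the non-inlined one
# carries a +offset/size, so this pattern skips the "[inline]" lines.
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+ (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
REGION_RE = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
# KASAN phrases the offset as "to the left of", "to the right of" or "inside of".
CLAIM_RE = re.compile(r"located (\d+) bytes (?:to the (left|right) of|(inside) of)")


def triage_kasan(report: str) -> dict:
    """Parse a KASAN slab report header and cross-check its offset arithmetic."""
    bugs = BUG_RE.findall(report)
    acc = ACCESS_RE.search(report)
    cache = CACHE_RE.search(report)
    region = REGION_RE.search(report)
    claim = CLAIM_RE.search(report)
    if not (bugs and acc and cache and region and claim):
        raise ValueError("report header incomplete")

    kind, func, location = bugs[-1]
    addr = int(acc.group(3), 16)
    size = int(acc.group(2))
    start, end = int(region.group(2), 16), int(region.group(3), 16)

    # Recompute the offset the same way KASAN describes it.
    if addr < start:
        side, offset = "left", start - addr
    elif addr >= end:
        side, offset = "right", addr - end
    else:
        side, offset = "inside", addr - start
    claimed = (claim.group(2) or claim.group(3), int(claim.group(1)))

    return {
        "kind": kind, "func": func, "location": location,
        "access": acc.group(1), "size": size, "addr": addr, "task": acc.group(4),
        "cache": cache.group(1), "object_size": int(cache.group(2)),
        "region": (start, end),
        "side": side, "offset": offset,
        "claimed": claimed,
        "consistent": (side, offset) == claimed,
        # Bytes of the access lying beyond the object end; KASAN reports only
        # the start of the access, not how far it runs.
        "end_overrun": max(0, addr + size - end),
    }


def summarize(r: dict) -> str:
    """One-line triage summary suitable for a bug tracker comment."""
    start, end = r["region"]
    return (f"{r['kind']} {r['access']} of {r['size']} bytes in {r['func']} "
            f"({r['location']}): starts {r['offset']} bytes {r['side']} of "
            f"{r['cache']} object [{start:#x}, {end:#x}), ends {r['end_overrun']} "
            f"bytes past its end; KASAN's own offset "
            f"{'matches' if r['consistent'] else 'DOES NOT match'}")


if __name__ == "__main__":
    print(summarize(triage_kasan(KASAN_EXCERPT)))
```

Run it on a saved report (paste the header into `KASAN_EXCERPT` or read it from a file) to get the overrun extent as well as the start offset; a mismatch between the recomputed and printed offsets usually means the report was mangled in transit, which is worth knowing before reasoning about which neighbouring objects the read touched.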