================================================================== BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735 Read of size 2 at addr ffff8801ccb7c00b by task syz-executor7/32627 CPU: 0 PID: 32627 Comm: syz-executor7 Not tainted 4.15.0-rc8+ #204 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440 erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735 __netdev_start_xmit include/linux/netdevice.h:4055 [inline] netdev_start_xmit include/linux/netdevice.h:4064 [inline] packet_direct_xmit+0x3ad/0x790 net/packet/af_packet.c:267 packet_snd net/packet/af_packet.c:2944 [inline] packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 SYSC_sendto+0x361/0x5c0 net/socket.c:1721 SyS_sendto+0x40/0x50 net/socket.c:1689 entry_SYSCALL_64_fastpath+0x29/0xa0 RIP: 0033:0x452ef9 RSP: 002b:00007f58e6c8ac58 EFLAGS: 00000212 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 000000000071bf58 RCX: 0000000000452ef9 RDX: 000000000000006c RSI: 000000002000b000 RDI: 0000000000000013 RBP: 0000000000000000 R08: 0000000020004000 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000 R13: 0000000000a2f7cf R14: 00007f58e6c8b9c0 R15: 000000000000000c Allocated by task 28435: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3544 kmem_cache_zalloc include/linux/slab.h:678 [inline] get_empty_filp+0xfb/0x4f0 fs/file_table.c:123 alloc_file+0x26/0x390 fs/file_table.c:164 sock_alloc_file+0x1f3/0x560 net/socket.c:411 SYSC_accept4+0x293/0x870 net/socket.c:1534 SyS_accept4 net/socket.c:1496 [inline] SYSC_accept net/socket.c:1579 [inline] SyS_accept+0x26/0x30 net/socket.c:1576 entry_SYSCALL_64_fastpath+0x29/0xa0 Freed by task 3714: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3488 [inline] kmem_cache_free+0x83/0x2a0 mm/slab.c:3746 file_free_rcu+0x5c/0x70 fs/file_table.c:50 __rcu_reclaim kernel/rcu/rcu.h:195 [inline] rcu_do_batch kernel/rcu/tree.c:2758 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3012 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2979 [inline] rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2996 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 The buggy address belongs to the object at ffff8801ccb7c080 which belongs to the cache filp of size 456 The buggy address is located 117 bytes to the left of 456-byte region [ffff8801ccb7c080, ffff8801ccb7c248) The buggy address belongs to the page: page:ffffea000732df00 count:1 mapcount:0 mapping:ffff8801ccb7c080 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801ccb7c080 0000000000000000 0000000100000006 raw: ffffea0007041be0 ffffea0006ee51a0 ffff8801dae2c180 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801ccb7bf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ccb7bf80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8801ccb7c000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801ccb7c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ccb7c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================