==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_clone_redirect net/core/filter.c:1768 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2a7/0x2b0 net/core/filter.c:1759
Read of size 8 at addr ffff8881a0ec9fd0 by task syz-executor.0/32218

CPU: 0 PID: 32218 Comm: syz-executor.0 Not tainted 4.14.149+ #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 ____bpf_clone_redirect net/core/filter.c:1768 [inline]
 bpf_clone_redirect+0x2a7/0x2b0 net/core/filter.c:1759
 ___bpf_prog_run+0x2478/0x5510 kernel/bpf/core.c:1095

Allocated by task 32218:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2800 [inline]
 kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
 __build_skb+0x30/0x2f0 net/core/skbuff.c:281
 build_skb+0x1a/0x1f0 net/core/skbuff.c:312
 bpf_prog_test_run_skb+0x16a/0x8c0 net/bpf/test_run.c:122
 bpf_prog_test_run kernel/bpf/syscall.c:1352 [inline]
 SYSC_bpf kernel/bpf/syscall.c:1624 [inline]
 SyS_bpf+0xa3b/0x3830 kernel/bpf/syscall.c:1569
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 31309:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 kfree_skbmem net/core/skbuff.c:586 [inline]
 kfree_skbmem+0xa0/0x110 net/core/skbuff.c:580
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb+0xeb/0x370 net/core/skbuff.c:663
 vti6_tnl_xmit+0x2ba/0x1660 net/ipv6/ip6_vti.c:570
 __netdev_start_xmit include/linux/netdevice.h:4033 [inline]
 netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 xmit_one net/core/dev.c:3009 [inline]
 dev_hard_start_xmit+0x19f/0x8c0 net/core/dev.c:3025
 __dev_queue_xmit+0x11e0/0x1d00 net/core/dev.c:3525
 __bpf_tx_skb net/core/filter.c:1708 [inline]
 __bpf_redirect_common net/core/filter.c:1747 [inline]
 __bpf_redirect+0x603/0xa30 net/core/filter.c:1754
 ____bpf_clone_redirect net/core/filter.c:1787 [inline]
 bpf_clone_redirect+0x1ce/0x2b0 net/core/filter.c:1759
 ___bpf_prog_run+0x2478/0x5510 kernel/bpf/core.c:1095
 0xffffffffffffffff

The buggy address belongs to the object at ffff8881a0ec9dc0
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 304 bytes to the right of
 224-byte region [ffff8881a0ec9dc0, ffff8881a0ec9ea0)
The buggy address belongs to the page:
page:ffffea000683b240 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000200(slab)
raw: 4000000000000200 0000000000000000 0000000000000000 00000001800c000c
raw: dead000000000100 dead000000000200 ffff8881dab70200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881a0ec9e80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881a0ec9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881a0ec9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff8881a0eca000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881a0eca080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================