ip_tables: iptables: counters copy to user failed while replacing table
==================================================================
BUG: KASAN: slab-out-of-bounds in u32_match_it net/netfilter/xt_u32.c:49 [inline]
BUG: KASAN: slab-out-of-bounds in u32_mt+0x4fb/0x580 net/netfilter/xt_u32.c:94
Read of size 1 at addr ffff88804e8bf2f0 by task syz-executor.1/9153

CPU: 1 PID: 9153 Comm: syz-executor.1 Not tainted 4.14.180-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 u32_match_it net/netfilter/xt_u32.c:49 [inline]
 u32_mt+0x4fb/0x580 net/netfilter/xt_u32.c:94
 ipt_do_table+0x897/0x16d0 net/ipv4/netfilter/ip_tables.c:301
 iptable_filter_hook+0x176/0x1e0 net/ipv4/netfilter/iptable_filter.c:47
 nf_hook_entry_hookfn include/linux/netfilter.h:108 [inline]
 nf_hook_slow+0xa5/0x1a0 net/netfilter/core.c:467
 nf_hook include/linux/netfilter.h:205 [inline]
 __ip_local_out+0x358/0x730 net/ipv4/ip_output.c:113
 ip_local_out+0x25/0x170 net/ipv4/ip_output.c:122
 ip_queue_xmit+0x7b2/0x1b20 net/ipv4/ip_output.c:504
 __tcp_transmit_skb+0x1654/0x2dd0 net/ipv4/tcp_output.c:1131
 tcp_transmit_skb net/ipv4/tcp_output.c:1147 [inline]
 tcp_xmit_probe_skb+0x2e2/0x390 net/ipv4/tcp_output.c:3679
 tcp_send_window_probe+0x113/0x140 net/ipv4/tcp_output.c:3688
 do_tcp_setsockopt.isra.0+0xee8/0x1c70 net/ipv4/tcp.c:2611
 tcp_setsockopt+0xa7/0xc0 net/ipv4/tcp.c:2828
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45ca29
RSP: 002b:00007f8ca495ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000505780 RCX: 000000000045ca29
RDX: 0004000000000013 RSI: 0000000000000006 RDI: 0000000000000004
RBP: 000000000078bf00 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020000100 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000b25 R14: 00000000004cd8e1 R15: 00007f8ca495f6d4

Allocated by task 9153:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node+0x4c/0x70 mm/slab.c:3689
 kmalloc_node include/linux/slab.h:530 [inline]
 kvmalloc_node+0x46/0xd0 mm/util.c:397
 kvmalloc include/linux/mm.h:531 [inline]
 xt_alloc_table_info+0x6a/0xe0 net/netfilter/x_tables.c:1062
 do_replace net/ipv4/netfilter/ip_tables.c:1127 [inline]
 do_ipt_set_ctl+0x1b1/0x39d net/ipv4/netfilter/ip_tables.c:1674
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt net/ipv4/ip_sockglue.c:1255 [inline]
 ip_setsockopt+0x94/0xb0 net/ipv4/ip_sockglue.c:1240
 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2451
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 1:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcb/0x260 mm/slab.c:3815
 cgroup_show_path+0x346/0x540 kernel/cgroup/cgroup.c:1690
 kernfs_sop_show_path+0x12b/0x1a0 fs/kernfs/mount.c:52
 show_mountinfo+0x225/0x860 fs/proc_namespace.c:142
 seq_read+0x4d2/0x1160 fs/seq_file.c:237
 __vfs_read+0xe4/0x610 fs/read_write.c:411
 vfs_read+0x131/0x330 fs/read_write.c:447
 SYSC_read fs/read_write.c:574 [inline]
 SyS_read+0xf2/0x210 fs/read_write.c:567
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff88804e8be840
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2736 bytes inside of
 4096-byte region [ffff88804e8be840, ffff88804e8bf840)
The buggy address belongs to the page:
page:ffffea00013a2f80 count:1 mapcount:0 mapping:ffff88804e8be840 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff88804e8be840 0000000000000000 0000000100000001
raw: ffffea00013a2020 ffffea000101c7a0 ffff88812fe54dc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88804e8bf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88804e8bf200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88804e8bf280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
                                                             ^
 ffff88804e8bf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88804e8bf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================