==================================================================
BUG: KASAN: slab-out-of-bounds in erspan_build_header+0x392/0x3b0 net/ipv4/ip_gre.c:706
Read of size 2 at addr ffff88804302a34b by task syz-executor.3/16725

CPU: 0 PID: 16725 Comm: syz-executor.3 Not tainted 4.14.117 #8
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0x11e/0x2db mm/kasan/report.c:393
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
 erspan_build_header+0x392/0x3b0 net/ipv4/ip_gre.c:706
 erspan_xmit net/ipv4/ip_gre.c:748 [inline]
 erspan_xmit+0x3ec/0x11c0 net/ipv4/ip_gre.c:725
 __netdev_start_xmit include/linux/netdevice.h:4033 [inline]
 netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 packet_direct_xmit+0x438/0x640 net/packet/af_packet.c:269
 packet_snd net/packet/af_packet.c:2973 [inline]
 packet_sendmsg+0x329f/0x5930 net/packet/af_packet.c:2998
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xd0/0x110 net/socket.c:656
 ___sys_sendmsg+0x70c/0x850 net/socket.c:2062
 __sys_sendmsg+0xb9/0x140 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2103
 do_syscall_64+0x1eb/0x630 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x458da9
RSP: 002b:00007f39d9e61c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458da9
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f39d9e626d4
R13: 00000000004c6630 R14: 00000000004daf58 R15: 00000000ffffffff

Allocated by task 16273:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 __sigqueue_alloc+0x1da/0x400 kernel/signal.c:386
 __send_signal+0x6d3/0x1280 kernel/signal.c:1083
 send_signal+0x49/0xc0 kernel/signal.c:1149
 specific_send_sig_info kernel/signal.c:1194 [inline]
 force_sig_info+0x243/0x350 kernel/signal.c:1246
 do_trap+0x124/0x250 arch/x86/kernel/traps.c:280
 do_error_trap+0x153/0x310 arch/x86/kernel/traps.c:301
 do_stack_segment+0x1b/0x20 arch/x86/kernel/traps.c:318
 stack_segment+0x45/0x50 arch/x86/entry/entry_64.S:1095

Freed by task 16273:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 __sigqueue_free.part.0+0x55/0x60 kernel/signal.c:409
 __sigqueue_free kernel/signal.c:405 [inline]
 dequeue_synchronous_signal kernel/signal.c:713 [inline]
 get_signal+0xa7e/0x1a80 kernel/signal.c:2297
 do_signal+0x86/0x1980 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x15c/0x220 arch/x86/entry/common.c:159
 prepare_exit_to_usermode+0x193/0x1f0 arch/x86/entry/common.c:198
 retint_user+0x8/0x18

The buggy address belongs to the object at ffff88804302a2a0
 which belongs to the cache sigqueue of size 160
The buggy address is located 11 bytes to the right of
 160-byte region [ffff88804302a2a0, ffff88804302a340)
The buggy address belongs to the page:
page:ffffea00010c0a80 count:1 mapcount:0 mapping:ffff88804302a000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88804302a000 0000000000000000 0000000100000012
raw: ffffea000231b4e0 ffffea00026743a0 ffff88821f8b5b00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88804302a200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88804302a280: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88804302a300: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                              ^
 ffff88804302a380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804302a400: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
==================================================================