================================================================== BUG: KASAN: slab-out-of-bounds in pskb_may_pull include/linux/skbuff.h:2106 [inline] BUG: KASAN: slab-out-of-bounds in skb_ensure_writable+0x554/0x620 net/core/skbuff.c:5118 Read of size 4 at addr ffff8801b818bb40 by task syz-executor3/2488 CPU: 0 PID: 2488 Comm: syz-executor3 Not tainted 4.17.0-rc7+ #38 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 WARNING: CPU: 1 PID: 2485 at include/net/sock.h:644 sk_del_node_init include/net/sock.h:644 [inline] WARNING: CPU: 1 PID: 2485 at include/net/sock.h:644 smc_unhash_sk+0x345/0x4a0 net/smc/af_smc.c:85 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 Kernel panic - not syncing: panic_on_warn set ... print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432 pskb_may_pull include/linux/skbuff.h:2106 [inline] skb_ensure_writable+0x554/0x620 net/core/skbuff.c:5118 __bpf_try_make_writable net/core/filter.c:1606 [inline] bpf_try_make_writable net/core/filter.c:1612 [inline] ____bpf_l3_csum_replace net/core/filter.c:1774 [inline] bpf_l3_csum_replace+0x8c/0x4d0 net/core/filter.c:1765 CPU: 1 PID: 2485 Comm: syz-executor2 Not tainted 4.17.0-rc7+ #38 Allocated by task 4430: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 save_stack+0x43/0xd0 mm/kasan/kasan.c:448 Call Trace: set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554 skb_clone+0x1ed/0x4f0 net/core/skbuff.c:1282 panic+0x22f/0x4de kernel/panic.c:184 dev_queue_xmit_nit+0x44a/0xc50 net/core/dev.c:1987 xmit_one net/core/dev.c:3048 [inline] dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3068 sch_direct_xmit+0x472/0x1120 net/sched/sch_generic.c:327 qdisc_restart net/sched/sch_generic.c:390 [inline] __qdisc_run+0x611/0x19e0 net/sched/sch_generic.c:398 qdisc_run include/net/pkt_sched.h:118 [inline] __dev_xmit_skb net/core/dev.c:3247 [inline] __dev_queue_xmit+0x1417/0x3900 net/core/dev.c:3555 __warn.cold.8+0x163/0x1b3 kernel/panic.c:536 dev_queue_xmit+0x17/0x20 net/core/dev.c:3620 neigh_hh_output include/net/neighbour.h:473 [inline] neigh_output include/net/neighbour.h:481 [inline] ip_finish_output2+0x1046/0x1840 net/ipv4/ip_output.c:229 report_bug+0x252/0x2d0 lib/bug.c:186 ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x1de/0x490 arch/x86/kernel/traps.c:296 NF_HOOK_COND include/linux/netfilter.h:276 [inline] ip_output+0x21b/0x850 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124 ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504 tcp_transmit_skb+0x1bea/0x3ec0 net/ipv4/tcp_output.c:1168 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 tcp_write_xmit+0x1626/0x5c00 net/ipv4/tcp_output.c:2363 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992 __tcp_push_pending_frames+0xb2/0x290 net/ipv4/tcp_output.c:2536 RIP: 0010:sk_del_node_init include/net/sock.h:644 [inline] RIP: 0010:smc_unhash_sk+0x345/0x4a0 net/smc/af_smc.c:85 tcp_push+0x630/0x8a0 net/ipv4/tcp.c:735 RSP: 0018:ffff8801b81ff030 EFLAGS: 00010293 tcp_sendmsg_locked+0x2eaa/0x3ee0 net/ipv4/tcp.c:1410 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1447 RAX: ffff8801a6c00440 RBX: ffff8801ba529000 RCX: ffffffff8749800e RDX: 0000000000000000 RSI: ffffffff874980c5 RDI: 0000000000000005 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798 RBP: ffff8801b81ff118 R08: ffff8801a6c00440 R09: ffffed00374a5210 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:639 R10: ffffed00374a5210 R11: ffff8801ba529083 R12: 1ffff1003703fe0a sock_write_iter+0x35a/0x5a0 net/socket.c:908 R13: ffff8801b81ff0f0 R14: ffffffff89720c60 R15: ffff8801ba529080 call_write_iter include/linux/fs.h:1784 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x64d/0x960 fs/read_write.c:487 vfs_write+0x1f8/0x560 fs/read_write.c:549 ksys_write+0xf9/0x250 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:607 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 4430: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 smc_release+0x36e/0x610 net/smc/af_smc.c:155 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 sock_release+0x96/0x1b0 net/socket.c:594 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x86/0x2d0 mm/slab.c:3756 kfree_skbmem+0x13c/0x210 net/core/skbuff.c:582 sock_close+0x16/0x20 net/socket.c:1149 __kfree_skb net/core/skbuff.c:642 [inline] kfree_skb+0x19d/0x560 net/core/skbuff.c:659 __fput+0x34d/0x890 fs/file_table.c:209 packet_rcv_spkt+0x126/0x730 net/packet/af_packet.c:1847 dev_queue_xmit_nit+0x90c/0xc50 net/core/dev.c:2019 xmit_one net/core/dev.c:3048 [inline] dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3068 ____fput+0x15/0x20 fs/file_table.c:243 sch_direct_xmit+0x472/0x1120 net/sched/sch_generic.c:327 task_work_run+0x1e4/0x290 kernel/task_work.c:113 qdisc_restart net/sched/sch_generic.c:390 [inline] __qdisc_run+0x611/0x19e0 net/sched/sch_generic.c:398 qdisc_run include/net/pkt_sched.h:118 [inline] __dev_xmit_skb net/core/dev.c:3247 [inline] __dev_queue_xmit+0x1417/0x3900 net/core/dev.c:3555 dev_queue_xmit+0x17/0x20 net/core/dev.c:3620 neigh_hh_output include/net/neighbour.h:473 [inline] neigh_output include/net/neighbour.h:481 [inline] ip_finish_output2+0x1046/0x1840 net/ipv4/ip_output.c:229 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x1aee/0x2730 kernel/exit.c:865 ip_finish_output+0x828/0xf80 net/ipv4/ip_output.c:317 NF_HOOK_COND include/linux/netfilter.h:276 [inline] ip_output+0x21b/0x850 net/ipv4/ip_output.c:405 dst_output include/net/dst.h:444 [inline] ip_local_out+0xc5/0x1b0 net/ipv4/ip_output.c:124 ip_queue_xmit+0x9d7/0x1f70 net/ipv4/ip_output.c:504 tcp_transmit_skb+0x1bea/0x3ec0 net/ipv4/tcp_output.c:1168 tcp_write_xmit+0x1626/0x5c00 net/ipv4/tcp_output.c:2363 __tcp_push_pending_frames+0xb2/0x290 net/ipv4/tcp_output.c:2536 tcp_push+0x630/0x8a0 net/ipv4/tcp.c:735 tcp_sendmsg_locked+0x2eaa/0x3ee0 net/ipv4/tcp.c:1410 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1447 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:639 sock_write_iter+0x35a/0x5a0 net/socket.c:908 call_write_iter include/linux/fs.h:1784 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x64d/0x960 fs/read_write.c:487 vfs_write+0x1f8/0x560 fs/read_write.c:549 ksys_write+0xf9/0x250 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:607 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801b818ba40 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 24 bytes to the right of 232-byte region [ffff8801b818ba40, ffff8801b818bb28) The buggy address belongs to the page: page:ffffea0006e062c0 count:1 mapcount:0 mapping:ffff8801b818b040 index:0x0 do_group_exit+0x16f/0x430 kernel/exit.c:968 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801b818b040 0000000000000000 000000010000000c raw: ffffea00072a3120 ffffea0006f46860 ffff8801d9a11080 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: get_signal+0x886/0x1960 kernel/signal.c:2482 ffff8801b818ba00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801b818ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801b818bb00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801b818bb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb do_signal+0x98/0x2040 arch/x86/kernel/signal.c:810 ffff8801b818bc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== kasan: CONFIG_KASAN_INLINE enabled exit_to_usermode_loop+0x28a/0x310 arch/x86/entry/common.c:162 kasan: GPF could be caused by NULL-ptr deref or user memory access prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:265 [inline] do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290 general protection fault: 0000 [#1] SMP KASAN Dumping ftrace buffer: --------------------------------- syz-exec-8849 0...2 104620691us : 0: }D syz-exec-8849 0...2 104620695us : 0: }D syz-exec-8849 0...2 104620697us : 0: }D entry_SYSCALL_64_after_hwframe+0x49/0xbe syz-exec-8849 0...2 104620698us : 0: }D RIP: 0033:0x4559f9 syz-exec-8849 0...2 104620700us : 0: }D RSP: 002b:00007f6c077dcc68 EFLAGS: 00000246 syz-exec-8849 0...2 104620701us : 0: }D ORIG_RAX: 000000000000002e syz-exec-8849 0...2 104620703us : 0: }D RAX: ffffffffffffffe0 RBX: 00007f6c077dd6d4 RCX: 00000000004559f9 syz-exec-8849 0...2 104620704us : 0: }D RDX: 0000000000000000 RSI: 0000000020001680 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 syz-exec-8849 0...2 104620706us : 0: }D R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff syz-exec-8849 0...2 104620708us : 0: }D R13: 00000000004c0c3d R14: 00000000004d0610 R15: 0000000000000000 syz-exec-8849 0...2 104620709us : 0: }D syz-exec-8849 0...2 104620710us : 0: }D syz-exec-8849 0...2 104620712us : 0: }D syz-exec-8849 0...2 104620714us : 0: }D syz-exec-8849 0...2 104620715us : 0: }D syz-exec-8849 0...2 104620717us : 0: }D syz-exec-8849 0...2 104620718us : 0: }D syz-exec-8849 0...2 104620720us : 0: }D syz-exec-8849 0...2 104620722us : 0: }D syz-exec-8849 0...2 104620723us : 0: }D syz-exec-8849 0...2 104620725us : 0: }D syz-exec-8849 0...2 104620727us : 0: }D syz-exec-8849 0...2 104620728us : 0: }D syz-exec-8849 0...2 104620730us : 0: }D syz-exec-8849 0...2 104620732us : 0: }D syz-exec-8849 0...2 104620733us : 0: }D syz-exec-8849 0...2 104620735us : 0: }D syz-exec-8849 0...2 104620736us : 0: }D syz-exec-8849 0...2 104620738us : 0: }D syz-exec-8849 0...2 104620739us : 0: }D syz-exec-8849 0...2 104620741us : 0: }D syz-exec-8849 0...2 104620743us : 0: }D syz-exec-8849 0...2 104620744us : 0: }D syz-exec-8849 0...2 104620746us : 0: }D syz-exec-8849 0...2 104620748us : 0: }D syz-exec-8849 0...2 104620750us : 0: }D syz-exec-8849 0...2 104620751us : 0: }D syz-exec-8849 0...2 104620753us : 0: }D syz-exec-8849 0...2 104620755us : 0: }D syz-exec-8849 0...2 104620756us : 0: }D syz-exec-8849 0...2 104620758us : 0: }D syz-exec-8849 0...2 104620759us : 0: }D syz-exec-8849 0...2 104620761us : 0: }D syz-exec-8849 0...2 104620762us : 0: }D syz-exec-8849 0...2 104620764us : 0: }D syz-exec-8849 0...2 104620766us : 0: }D syz-exec-8849 0...2 104620768us : 0: }D syz-exec-8849 0...2 104620769us : 0: }D syz-exec-8849 0...2 104620770us : 0: }D syz-exec-8849 0...2 104620772us : 0: }D syz-exec-8849 0...2 104620774us : 0: }D syz-exec-8849 0...2 104620775us : 0: }D syz-exec-8849 0...2 104620777us : 0: }D syz-exec-8849 0...2 104620779us : 0: }D syz-exec-8849 0...2 104620780us : 0: }D syz-exec-8849 0...2 104620782us : 0: }D syz-exec-8849 0...2 104620783us : 0: }D syz-exec-8849 0...2 104620785us : 0: }D syz-exec-8849 0...2 104620786us : 0: }D syz-exec-8849 0...2 104620788us : 0: }D syz-exec-8849 0...2 104620790us : 0: }D syz-exec-8849 0...2 104620791us : 0: }D syz-exec-8849 0...2 104620793us : 0: }D syz-exec-8849 0...2 104620795us : 0: }D syz-exec-8849 0...2 104620796us : 0: }D syz-exec-8849 0...2 104620798us : 0: }D syz-exec-8849 0...2 104620799us : 0: }D syz-exec-8849 0...2 104620801us : 0: }D syz-exec-8849 0...2 104620802us : 0: }D syz-exec-8849 0...2 104620804us : 0: }D syz-exec-8849 0...2 104620805us : 0: }D syz-exec-8849 0...2 104620807us : 0: }D syz-exec-8849 0...2 104620809us : 0: }D syz-exec-8849 0...2 104620810us : 0: }D syz-exec-8849 0...2 104620812us : 0: }D syz-exec-8849 0...2 104620813us : 0: }D syz-exec-8849 0...2 104620815us : 0: }D syz-exec-8849 0...2 104620816us : 0: }D syz-exec-8849 0...2 104620818us : 0: }D syz-exec-8849 0...2 104620820us : 0: }D syz-exec-8849 0...2 104620821us : 0: }D syz-exec-8849 0...2 104620823us : 0: }D syz-exec-8849 0...2 104620825us : 0: }D syz-exec-8849 0...2 104620826us : 0: }D syz-exec-8849 0...2 104620828us : 0: }D syz-exec-8849 0...2 104620830us : 0: }D syz-exec-8849 0...2 104620831us : 0: }D syz-exec-8849 0...2 104620833us : 0: }D syz-exec-8849 0...2 104620835us : 0: }D syz-exec-8849 0...2 104620837us : 0: }D syz-exec-8849 0...2 104620844us : 0: }D syz-exec-8849 0...2 104620845us : 0: }D syz-exec-8849 0...2 104620847us : 0: }D syz-exec-8849 0...2 104620848us : 0: }D syz-exec-8849 0...2 104620850us : 0: }D syz-exec-8849 0...2 104620851us : 0: }D syz-exec-8849 0...2 104620853us : 0: }D syz-exec-8849 0...2 104620854us : 0: }D syz-exec-8849 0...2 104620856us : 0: }D syz-exec-8849 0...2 104620857us : 0: }D syz-exec-8849 0...2 104620859us : 0: }D syz-exec-8849 0...2 104620860us : 0: }D syz-exec-8849 0...2 104620862us : 0: }D syz-exec-8849 0...2 104620863us : 0: }D syz-exec-8849 0...2 104620864us : 0: }D syz-exec-8849 0...2 104620866us : 0: }D syz-exec-8849 0...2 104620868us : 0: }D syz-exec-8849 0...2 104620869us : 0: }D syz-exec-8849 0...2 104620871us : 0: }D syz-exec-8849 0...2 104620872us : 0: }D syz-exec-8849 0...2 104620874us : 0: }D syz-exec-8849 0...2 104620875us : 0: }D syz-exec-8849 0...2 104620876us : 0: }D syz-exec-8849 0...2 104620878us : 0: }D syz-exec-8849 0...2 104620879us : 0: }D syz-exec-8849 0...2 104620881us : 0: }D syz-exec-8849 0...2 104620882us : 0: }D syz-exec-8849 0...2 104620884us : 0: }D syz-exec-8849 0...2 104620885us : 0: }D syz-exec-8849 0...2 104620887us : 0: }D syz-exec-8849 0...2 104620888us : 0: }D syz-exec-8849 0...2 104620890us : 0: }D syz-exec-8849 0...2 104620891us : 0: }D syz-exec-8849 0...2 104620892us : 0: }D syz-exec-8849 0...2 104620894us : 0: }D syz-exec-8849 0...2 104620895us : 0: }D syz-exec-8849 0...2 104620897us : 0: }D syz-exec-8849 0...2 104620898us : 0: }D syz-exec-8849 0...2 104620900us : 0: }D syz-exec-8849 0...2 104620901us : 0: }D syz-exec-8849 0...2 104620903us : 0: }D syz-exec-8849 0...2 104620904us : 0: }D syz-exec-8849 0...2 104620906us : 0: }D syz-exec-8849 0...2 104620907us : 0: }D syz-exec-8849 0...2 104620909us : 0: }D syz-exec-8849 0...2 104620910us : 0: }D syz-exec-8849 0...2 104620912us : 0: }D syz-exec-8849 0...2 104620913us : 0: }D syz-exec-8849 0...2 104620915us : 0: }D syz-exec-8849 0...2 104620916us : 0: }D syz-exec-8849 0...2 104620918us : 0: }D syz-exec-8849 0...2 104620919us : 0: }D syz-exec-8849 0...2 104620921us : 0: }D syz-exec-8849 0...2 104620922us : 0: }D syz-exec-8849 0...2 104620924us : 0: }D syz-exec-8849 0...2 104620925us : 0: }D syz-exec-8849 0...2 104620927us : 0: }D syz-exec-8849 0...2 104620928us : 0: }D syz-exec-8849 0...2 104620930us : 0: }D syz-exec-8849 0...2 104620931us : 0: }D syz-exec-8849 0...2 104620932us : 0: }D syz-exec-8849 0...2 104620934us : 0: }D syz-exec-8849 0...2 104620935us : 0: }D syz-exec-8849 0...2 104620937us : 0: }D syz-exec-8849 0...2 104620938us : 0: }D syz-exec-8849 0...2 104620940us : 0: }D syz-exec-8849 0...2 104620941us : 0: }D syz-exec-8849 0...2 104620943us : 0: }D syz-exec-8849 0...2 104620944us : 0: }D syz-exec-8849 0...2 104620946us : 0: }D syz-exec-8849 0...2 104620947us : 0: }D syz-exec-8849 0...2 104620949us : 0: }D syz-exec-8849 0...2 104620950us : 0: }D syz-exec-8849 0...2 104620952us : 0: }D syz-exec-8849 0...2 104620953us : 0: }D syz-exec-8849 0...2 104620955us : 0: }D syz-exec-8849 0...2 104620956us : 0: }D syz-exec-8849 0...2 104620957us : 0: }D syz-exec-8849 0...2 104620959us : 0: }D syz-exec-8849 0...2 104620962us : 0: }D syz-exec-8849 0...2 104620963us : 0: }D syz-exec-8849 0...2 104620965us : 0: }D syz-exec-8849 0...2 104620967us : 0: }D syz-exec-8849 0...2 104620994us : 0: }D syz-exec-8849 0...2 104620998us : 0: }D syz-exec-8849 0...2 104621001us : 0: }D syz-exec-8849 0...2 104621004us : 0: }D syz-exec-8849 0...2 104621007us : 0: }D syz-exec-8849 0...2 104621010us : 0: }D syz-exec-8849 0...2 104621013us : 0: }D syz-exec-8849 0...2 104621016us : 0: }D syz-exec-8849 0...2 104621019us : 0: }D syz-exec-8849 0...2 104621022us : 0: }D syz-exec-8849 0...2 104621025us : 0: }D syz-exec-8849 0...2 104621028us : 0: }D syz-exec-8849 0...2 104621031us : 0: }D syz-exec-8849 0...2 104621034us : 0: }D syz-exec-8849 0...2 104621037us : 0: }D syz-exec-8849 0...2 104621039us : 0: }D syz-exec-8849 0...2 104621043us : 0: }D syz-exec-8849 0...2 104621046us : 0: }D syz-exec-8849 0...2 104621049us : 0: }D syz-exec-8849 0...2 104621051us : 0: }D syz-exec-8849 0...2 104621055us : 0: }D syz-exec-8849 0...2 104621057us : 0: }D syz-exec-8849 0...2 104621060us : 0: }D syz-exec-8849 0...2 104621062us : 0: }D syz-exec-8849 0...2 104621063us : 0: }D syz-exec-8849 0...2 104621065us : 0: }D syz-exec-8849 0...2 104621066us : 0: }D syz-exec-8849 0...2 104621068us : 0: }D syz-exec-8849 0...2 104621070us : 0: }D syz-exec-8849 0...2 104621071us : 0: }D syz-exec-8849 0...2 104621073us : 0: }D syz-exec-8849 0...2 104621075us : 0: }D syz-exec-8849 0...2 104621076us : 0: }D